Operational risk is the risk of loss resulting from inadequate
or failed internal processes, people and systems, or external
events. Operational risk can arise from a technology failure,
human or technical errors in financial models and reporting, or
other internal control system deficiencies. In the case of
RDC, operational risk (i.e., image/data quality, business
continuity, information security, etc.) increases when deposit
processing occurs at the customer location, which is outside of the
financial institution's direct control. As a result, the
financial institution could experience delays or disruptions in
processing, clearing, and settling retail payment transactions that
could lead to credit and liquidity problems at other financial
institutions.

Operational risk can also arise from fraud perpetrated by
employees or by external sources. A financial institution is
exposed to operational risk from fraud when a wrongful or criminal
deception can lead to a financial loss for one of the parties
involved. While fraud risk in traditional ACH activity is
low, new ACH products and services, such as one-time ACH debits
from Internet-based and telemarketing merchants (WEB and TEL), pose
considerable fraud potential. With traditional ACH activity,
financial institutions have employed strong front-end fraud
controls for recurring debits they originate. These controls
are typically not present with WEB and TEL transactions. The
continuing growth of check-to-ACH conversion, check truncation, and
the growing use of RCCs, RDC, and electronically created payment
orders present new forms of fraud risks. In these situations,
liability typically rests with the financial institution where the
check is first deposited or the ACH item is originated. In
the case of electronically created payment orders, liability rests
with the financial institution that sends the file to the Reserve
Bank or other correspondent. As operational processes
continue to change, financial institutions will need to enhance
their internal controls, as described below, to mitigate
operational risk. Existing control mechanisms may not be as
effective as necessary.

Newer retail payment mechanisms, particularly using the
Internet, also subject customers and financial institutions to
fraud risk exposure. All of these highly automated processes
typically reflect a reengineering of the existing check processes,
and the existing fraud controls may not be adequate. The
creation of fraudulent electronic transactions could lead to
financial losses if fraudulent balances are successfully exchanged
for a readily transferable form of funds, such as currency.

Operational risk controls should include sound information
systems, and procedural, administrative and legal measures to
prevent or limit financial loss. System measures include
monetary and time limits (per transaction, per payment instrument,
per client), personal authentication, and encryption techniques to
ensure the authenticity and integrity of the payer and transaction
information. Additional controls include the use of
certified, tamper-resistant equipment (e.g., EFT/POS terminals),
logical access controls to verify transactions, online verification
of account balances, logging of all transactions and attempts to
make a transaction, and the use of serial numbers and check
digits.

Financial institutions can create a fraud detection control
through a due diligence program for new account acceptance coupled
with ongoing, automated monitoring of deposit account
transactions. Account monitoring should be facilitated
through the use of caps, limits, and triggers to measure activity
on an intraday basis. Financial institutions use a variety of
automated databases, such as credit bureaus, to review new accounts
prior to or soon after opening the accounts. Institutions
also use a number of vendor-supported automated algorithms to
review deposit account transactions for unusual activity related to
kiting or other fraud.
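
An added illustration, not part of the original guidance, of how caps, limits, and triggers can be applied to deposit activity on an intraday basis while logging every attempt, as the system measures described earlier recommend. The thresholds, account identifier, and deposit items are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Limits:  # hypothetical thresholds; an institution would set these per client
    per_item_cap: int = 10_000_00   # cents: cap on a single deposit item
    daily_limit: int = 20_000_00    # cents: limit on the intraday total per account
    velocity_count: int = 3         # trigger: more than this many attempts...
    velocity_window: timedelta = timedelta(minutes=10)  # ...inside this window

class IntradayMonitor:
    def __init__(self, limits):
        self.limits = limits
        self.totals = defaultdict(int)    # (account, date) -> cents accepted or held
        self.recent = defaultdict(deque)  # account -> timestamps of recent attempts
        self.log = []                     # every attempt, including rejected ones

    def submit(self, account, amount, ts):
        """Return (decision, reasons); decision is ACCEPT, REVIEW or REJECT."""
        window = self.recent[account]
        window.append(ts)  # rejected attempts still count toward velocity
        while ts - window[0] > self.limits.velocity_window:
            window.popleft()
        key, reasons = (account, ts.date()), []
        if amount > self.limits.per_item_cap:
            reasons.append("per-item cap")
        if self.totals[key] + amount > self.limits.daily_limit:
            reasons.append("daily limit")
        decision = "REJECT" if reasons else "ACCEPT"
        if not reasons and len(window) > self.limits.velocity_count:
            decision = "REVIEW"  # soft trigger: hold the item for an analyst
            reasons.append("velocity trigger")
        if decision != "REJECT":
            self.totals[key] += amount  # held items still consume the daily limit
        self.log.append((ts.isoformat(), account, amount, decision, reasons))
        return decision, reasons

def run_sample():
    """Constructed sample: six deposit items for one account on one day."""
    start = datetime(2024, 1, 2, 9, 0)
    items = [(0, 4_000_00), (2, 12_000_00), (3, 9_000_00),
             (4, 9_000_00), (5, 1_000_00), (30, 1_000_00)]  # (minute offset, cents)
    monitor = IntradayMonitor(Limits())
    decisions = [monitor.submit("ACCT-EXAMPLE", cents, start + timedelta(minutes=m))[0]
                 for m, cents in items]
    return decisions, monitor
```

The hard cap and limit reject an item outright, while the velocity trigger only routes it to review, which mirrors the distinction between limits and triggers in the text.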

Other procedural measures for reducing fraud include:
closely monitoring return rates for all customers, appropriate dual
custody and separation of duties for critical payment transaction
processing and accounting tasks, payment data verification, clear
error processing and escalation procedures, and confidential and
tamper-resistant mailing procedures for bankcards and other
sensitive material. Account reconcilement processes are vital
to early detection of errors and fraud. Administrative
measures should include IT audit coverage of operational controls,
legal controls (including regulatory compliance and agreements),
and personnel issues associated with staffing and training.

In the event of an unauthorized use of a payment card, the
cardholder's liability is limited to a specified amount if he or
she notifies the card issuer of the theft or loss within a set time
limit. To limit their own losses from POS card fraud, the
bankcard companies require vendors to match the cardholder's
signature on the card with the signature on the payment voucher at
the POS. The bankcard companies have also introduced
extensive monitoring and reporting controls to limit fraudulent
activity.

In a broader view of operational risk management, financial
institutions should employ vendor management programs that provide
for due diligence of new service providers as well as ongoing
monitoring of existing vendors. An effective vendor
management program will focus on data security and business
continuity.

In addition, a more effective approach to mitigate fraud risk
may be to view this risk potential across channels. This
requires an enterprise view of the range of retail payments
activities. Those payments that use multiple payment channels
for processing and clearing are subject to an increased level of
fraud risk because traditional fraud detection and prevention
measures are designed for single channels. Fraud is more
likely to migrate to those channels where fraud detection and
prevention measures are less developed.

Mitigation of Operational Risk

Financial institutions should adopt measures that limit
operational risks arising from the processing, clearing, and
settlement of retail payments. Financial institutions and
technology service providers participating in clearing and
settlement arrangements for retail payments should ensure
operational reliability for timely completion of daily processing
through adequate information systems, internal controls, backup
facilities, reliable technology, and adequate staff training and
support. Furthermore, these organizations should adopt
business continuity plans to minimize and manage the effects of
interruptions. Risk analysis should identify confidential
assets, critical operations, and potential threats. It should
also define safeguards and countermeasures to provide appropriate
protection.

Risk from fraud or error from customers that generate high
volumes of RDCs, electronically created payment orders, or RCCs can
be managed more effectively with the use of activity and fraud
monitoring tools for those customers. Financial institutions
that originate large volumes of ACH transactions directly or
through third-party service providers should also consider these
tools as part of their due diligence. Fraud databases and
fraud analysis tools can assist financial institutions in detecting
and controlling potential fraud risk. Some bankcard
associations and Internet banking applications use neural network
technologies or behavioral fraud analysis. These technologies
utilize specialized software and hardware designed to identify
patterns of behavior that enable financial institutions to identify
suspicious transactions or spending. The bankcard companies
have also developed numerous fraud detection and avoidance systems
that member financial institutions can use to reduce losses as a
result of fraudulent bankcard use. The growth of e-commerce
has led many financial institutions and service providers to
develop additional databases that provide early identification of
potential fraud.

Identifying, evaluating, and addressing potential legal and
compliance risks associated with new payment systems providers can
also help mitigate operational risk. For example, a thorough
legal review process can ensure that there are clearly defined
roles and responsibilities for the financial institution, its
service providers, and its customers. Financial
institutions should also comply with the regulations and consumer
compliance mandates that apply to retail payment services (e.g.,
Regulation E).

Financial institutions also should have appropriate risk control
functions such as audit, information security, vendor management,
and business continuity, as discussed in the following
sections.